{"rewrite":{"id":"r_24329c940d7c8d1af6c29503","clusterId":"c_01ad421ef25ec9cd21080ba4","slug":"11-million-user-youtube-ad-blocker-has-dangerous-execution-path-security-firm-warns","model":"deepseek-v4-flash","headline":"11 Million-User YouTube Ad Blocker Has Dangerous Execution Path, Security Firm Warns","summary":"Enterprise browser company Island reported that the Chrome extension \"Adblock for YouTube,\" installed over 11 million times, has a design flaw where a single server-side configuration change could allow arbitrary JavaScript execution in users' browsers. Island has not confirmed malicious code distribution but says the dangerous execution path exists.","whyItMatters":"The extension's combination of broad permissions and a server-controlled scriptlet mechanism means a compromised or malicious update to its settings server could turn a trusted ad blocker into a data-stealing tool for millions of users.","webCardHtml":"\u003cp\u003eEnterprise browser company Island has identified a security vulnerability in the Chrome extension \u0026#34;Adblock for YouTube,\u0026#34; which has been installed over 11 million times. The extension requests permissions for all URLs and fetches settings from an external server every 24 hours. Those settings include a field called \u0026#34;scriptletsRules\u0026#34; that can instruct the extension to execute built-in JavaScript functions with server-specified arguments. Island demonstrated that one such scriptlet, \u0026#34;trusted-create-element,\u0026#34; can inject arbitrary JavaScript into any page the extension can access, including webmail, banking sites, and internal business tools. In a proof of concept, Island showed the extension reading account information from Salesforce and sending it to a mock server. Island stated it has not observed any malicious payloads being delivered in the wild, but warned that the architecture makes a supply-chain-style attack possible with only a server-side change.\u003c/p\u003e","blueskyPost":"Adblock for YouTube's design flaw means the extension's 11 million users are one server update away from arbitrary code execution. The security firm found the vulnerability in the extension's update mechanism itself.","twitterPost":"Adblock for YouTube's 11M users are at risk: a server change enables arbitrary JavaScript execution. The flaw is in the extension's update mechanism.","threadsPost":"Adblock for YouTube has 11 million users and a design flaw that lets a server config change execute arbitrary JavaScript in their browsers. The security firm Island found the vulnerability in the extension's own update mechanism. No malicious code has been confirmed yet, but the path exists.","newsletterBlurb":"Enterprise browser company Island has identified a dangerous execution path in the Chrome extension \"Adblock for YouTube,\" installed over 11 million times. A single server-side configuration change could allow arbitrary JavaScript execution in users' browsers. Island has not confirmed any malicious code distribution but warns the architecture enables a supply-chain-style attack.","attributionJson":"[{\"source\":\"GIGAZINE\",\"url\":\"https://gigazine.net/news/20260626-island-badblocker/\",\"title\":\"1100万DLのYouTube広告ブロック拡張に「サーバー変更だけで任意JavaScript実行可能」との指摘\"}]","lintFlagsJson":null,"lintHits":0,"costUsd":0,"inputTokens":4150,"outputTokens":572,"status":"published","repairAttempts":0,"nextRepairAt":null,"factsAttemptedAt":1782601944,"createdAt":"2026-06-27T23:06:11.000Z","publishedAt":"2026-06-27T23:10:24.000Z","updatedAt":"2026-06-27T23:10:24.000Z"},"cluster":{"id":"c_01ad421ef25ec9cd21080ba4","canonicalTitle":"1100万DLのYouTube広告ブロック拡張に「サーバー変更だけで任意JavaScript実行可能」との指摘","representativeArticleId":"a_e098fc591adbf50e5b808c31","sourceCount":1,"writtenSourceCount":1,"writeAttempts":0,"isSolo":true,"entitiesJson":"{\"anime_titles\":[],\"manga_titles\":[],\"work_titles\":[],\"studios\":[],\"people\":[],\"type\":\"news\",\"domain\":\"other\",\"is_roundup\":false}","contentType":"news","status":"published","firstSeenAt":"2026-06-26T03:50:00.000Z","lastSeenAt":"2026-06-26T03:50:00.000Z","updatedAt":"2026-06-27T23:10:24.000Z"},"attribution":[{"source":"GIGAZINE","url":"https://gigazine.net/news/20260626-island-badblocker/","title":"1100万DLのYouTube広告ブロック拡張に「サーバー変更だけで任意JavaScript実行可能」との指摘"}],"entities":{"anime_titles":[],"manga_titles":[],"work_titles":[],"studios":[],"people":[],"type":"news","domain":"other","is_roundup":false},"keyFacts":["Island demonstrated that the 'trusted-create-element' scriptlet can inject arbitrary JavaScript into any page the extension can access, including webmail, banking sites, and internal business tools.","In a proof of concept, Island showed the extension reading account information from Salesforce and sending it to a mock server.","Island has not confirmed any malicious code distribution but warned that a single server-side configuration change could enable a supply-chain-style attack."]}
